mirror of https://github.com/NixOS/nix synced 2025-06-25 06:31:14 +02:00

Chown structured attr files safely

Eelco Dolstra 2025-06-12 12:30:32 +02:00 committed by Jörg Thalheim
parent a4b5584fb1
commit 9af4c267c6


@ -316,6 +316,13 @@ protected:
*/ */
void chownToBuilder(int fd, const Path & path); void chownToBuilder(int fd, const Path & path);
/**
* Create a file in `tmpDir` owned by the builder.
*/
void writeBuilderFile(
const std::string & name,
std::string_view contents);
/** /**
* Run the builder's process. * Run the builder's process.
*/ */
@ -1069,16 +1076,10 @@ void DerivationBuilderImpl::initEnv()
} else { } else {
auto hash = hashString(HashAlgorithm::SHA256, i.first); auto hash = hashString(HashAlgorithm::SHA256, i.first);
std::string fn = ".attr-" + hash.to_string(HashFormat::Nix32, false); std::string fn = ".attr-" + hash.to_string(HashFormat::Nix32, false);
Path p = tmpDir + "/" + fn; writeBuilderFile(fn, rewriteStrings(i.second, inputRewrites));
AutoCloseFD passAsFileFd{openat(tmpDirFd.get(), fn.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)};
if (!passAsFileFd)
throw SysError("opening `passAsFile` file in the sandbox '%1%'", p);
writeFile(passAsFileFd, p, rewriteStrings(i.second, inputRewrites));
chownToBuilder(passAsFileFd.get(), p);
env[i.first + "Path"] = tmpDirInSandbox() + "/" + fn; env[i.first + "Path"] = tmpDirInSandbox() + "/" + fn;
} }
} }
} }
/* For convenience, set an environment pointing to the top build /* For convenience, set an environment pointing to the top build
@ -1153,11 +1154,9 @@ void DerivationBuilderImpl::writeStructuredAttrs()
auto jsonSh = StructuredAttrs::writeShell(json); auto jsonSh = StructuredAttrs::writeShell(json);
writeFile(tmpDir + "/.attrs.sh", rewriteStrings(jsonSh, inputRewrites)); writeBuilderFile(".attrs.sh", rewriteStrings(jsonSh, inputRewrites));
chownToBuilder(tmpDir + "/.attrs.sh");
env["NIX_ATTRS_SH_FILE"] = tmpDirInSandbox() + "/.attrs.sh"; env["NIX_ATTRS_SH_FILE"] = tmpDirInSandbox() + "/.attrs.sh";
writeFile(tmpDir + "/.attrs.json", rewriteStrings(json.dump(), inputRewrites)); writeBuilderFile(".attrs.json", rewriteStrings(json.dump(), inputRewrites));
chownToBuilder(tmpDir + "/.attrs.json");
env["NIX_ATTRS_JSON_FILE"] = tmpDirInSandbox() + "/.attrs.json"; env["NIX_ATTRS_JSON_FILE"] = tmpDirInSandbox() + "/.attrs.json";
} }
} }
@ -1285,6 +1284,18 @@ void DerivationBuilderImpl::chownToBuilder(int fd, const Path & path)
throw SysError("cannot change ownership of file '%1%'", path); throw SysError("cannot change ownership of file '%1%'", path);
} }
void DerivationBuilderImpl::writeBuilderFile(
const std::string & name,
std::string_view contents)
{
auto path = std::filesystem::path(tmpDir) / name;
AutoCloseFD fd{openat(tmpDirFd.get(), name.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)};
if (!fd)
throw SysError("creating file %s", path);
writeFile(fd, path, contents);
chownToBuilder(fd.get(), path);
}
void DerivationBuilderImpl::runChild() void DerivationBuilderImpl::runChild()
{ {
/* Warning: in the child we should absolutely not make any SQLite /* Warning: in the child we should absolutely not make any SQLite
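Review bot: writeBuilderFile() is only safe while `name` is a single path component, and neither the declaration comment nor the body states or enforces that. `O_NOFOLLOW` covers the final component only, so a `name` containing `/` would let openat() resolve intermediate directories under `tmpDirFd`, which looks like the kind of redirection this commit is meant to rule out (inferred from the title; the threat is not described on the page). The three callers here pass `.attr-` plus a hash, `.attrs.sh` and `.attrs.json`, so they are fine today. I would extend the declaration comment to say that `name` must be a single path component, that the call fails if the file already exists, and that symlinks are not followed, and add `assert(name.find('/') == std::string::npos);` at the top of the body. As a style point, `O_TRUNC` is redundant next to `O_CREAT | O_EXCL` and could be dropped.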